[keycloak-user] OIDC Client dynamic registration
Виталий Ищенко
betalb at gmail.com
Tue Sep 19 13:59:50 EDT 2017
Hi
I was playing with an example from the openid-client nodejs package; it has
examples with custom keys and key signing/encryption algorithms.
Some registration requests fail with an NPE like this:
Caused by: java.lang.NullPointerException
    at org.keycloak.util.JWKSUtils.getKeyForUse(JWKSUtils.java:49)
    at org.keycloak.services.clientregistration.oidc.DescriptionConverter.setPublicKey(DescriptionConverter.java:135)
    at org.keycloak.services.clientregistration.oidc.DescriptionConverter.toInternal(DescriptionConverter.java:102)
    at org.keycloak.services.clientregistration.oidc.OIDCClientRegistrationProvider.createOIDC(OIDCClientRegistrationProvider.java:74)
The registration request was the following:

{
  "post_logout_redirect_uris": [
    "http://localhost:3000/"
  ],
  "redirect_uris": [
    "http://localhost:3000/cb"
  ],
  "grant_types": [
    "authorization_code"
  ],
  "response_types": [
    "code"
  ],
  "userinfo_encrypted_response_alg": "ECDH-ES+A128KW",
  "jwks": {
    "keys": [
      {
        "kty": "EC",
        "kid": "pZtihA2ZjNh3qrPg3OUSZdpWatODXiUw_6ThWYqJ7gw",
        "crv": "P-256",
        "x": "qoBR4Zhj1RlMIF4TVfibVkApY1j2J1NdPUWTx_gKFlQ",
        "y": "cbZ3J1Y_OZXF0YhOerMVoqq5hRoe6G3xw21va5drqf0"
      }
    ]
  }
}
I overcame this issue by patching the library and adding a use: sig attribute to
the jwks key, but it seems that this attribute is not required by the spec
(https://tools.ietf.org/html/rfc7517#section-4.2), and even if it is required
from the app's perspective, the NPE should be replaced with something more meaningful.
Another issue I've faced after bypassing the NPE: registrations that use
unsupported algorithms like the one above don't fail. Is that correct behaviour?
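One way a registration endpoint could handle the request above without an NPE and without silently accepting an unsupported algorithm, as an added JavaScript example that is not code from the original post, from Keycloak or from the openid-client package; SUPPORTED_ENC_ALGS is an assumed, hypothetical capability list, not the server's real one:

```javascript
// Added example, not code from the original post, Keycloak or openid-client:
// look up a JWK for a given use without a null dereference (RFC 7517 sec. 4.2
// makes "use" optional, so a key without it may serve either purpose) and
// reject an unsupported algorithm instead of accepting it silently.

// Assumed: a hypothetical list of algorithms this server implements for
// userinfo encryption, not Keycloak's real capability set.
const SUPPORTED_ENC_ALGS = new Set(['RSA-OAEP', 'RSA1_5']);

// Key type each JWE key-management algorithm needs (RFC 7518).
const ALG_KTY = {
  'RSA-OAEP': 'RSA', 'RSA1_5': 'RSA',
  'ECDH-ES': 'EC', 'ECDH-ES+A128KW': 'EC',
};

// First key suitable for `use` ('sig' or 'enc'), or null; a key without
// "use" is accepted as a fallback. Nothing here throws on odd input.
function getKeyForUse(jwks, use) {
  if (!jwks || !Array.isArray(jwks.keys)) return null;
  const explicit = jwks.keys.find(k => k && k.use === use);
  if (explicit) return explicit;
  return jwks.keys.find(k => k && k.use === undefined) || null;
}

// Checks the encryption-related part of a registration request and
// returns a list of errors (empty means acceptable).
function validateRegistration(req) {
  const errors = [];
  const alg = req.userinfo_encrypted_response_alg;
  if (alg === undefined) return errors;
  if (!SUPPORTED_ENC_ALGS.has(alg)) {
    errors.push(`unsupported userinfo_encrypted_response_alg: ${alg}`);
  }
  const key = getKeyForUse(req.jwks, 'enc');
  if (!key) {
    errors.push('jwks contains no key usable for encryption');
    return errors;
  }
  const wantKty = ALG_KTY[alg];
  if (wantKty && key.kty !== wantKty) {
    errors.push(`${alg} requires a ${wantKty} key, got ${key.kty}`);
  }
  return errors;
}

// Sample input: the alg and jwks from the post (redirect URIs omitted).
const SAMPLE_REQUEST = {
  userinfo_encrypted_response_alg: 'ECDH-ES+A128KW',
  jwks: { keys: [{ kty: 'EC', crv: 'P-256', kid: 'pZtihA2ZjNh3qrPg3OUSZdpWatODXiUw_6ThWYqJ7gw',
    x: 'qoBR4Zhj1RlMIF4TVfibVkApY1j2J1NdPUWTx_gKFlQ', y: 'cbZ3J1Y_OZXF0YhOerMVoqq5hRoe6G3xw21va5drqf0' }] },
};
```

Run against SAMPLE_REQUEST it returns a single "unsupported ... ECDH-ES+A128KW" error rather than crashing, and the key is still found for either use because it carries no "use" member.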